- Cyber Essentials enhancements
- ITDR (User Compliance) Overview
- File Risk Score in Patch & Assets; Infinity Management with cloud-based threat analysis
- Major DNS Security Upgrades: streamlined workflows, unified views & improved usability
- Internal Approval flow GP setting - DNS Endpoint and Network
- End-user domain reanalysis & allowlist requests submission from the Block page
- New Heimdal Dashboard tab - Allowlist requests
- Standard, Threat Type, Hostname/Threats, Latest Threats, TTPC, Forensic DNS Security Endpoint & Network views consolidation
- Brand-new Domain hits (blocks) DNS Security Endpoint & Network view
- Freshly-implemented Manual Blocklists DNS Security Endpoint & Network view
- Import and export CSV option for Allowlist and Blocklist
- Alphabetical sorting for Categories in the Block by Category multi-select list
- OS (Windows) Updates – Management of Click-to-Run updates
- 3rd Party Patch Management - addition of the CVE column in all the grids from the Assets view
- 3rd Party Patch Management - ability to add sequencing order to Push Install apps
- PXE - Configurable network interface for OS Deployment
Cyber Essentials enhancements
This new Heimdal Production release introduces improvements to the Cyber Essentials compliance reporting and corresponding dashboard views. The goal is to boost clarity and accuracy when determining the Cyber Essentials compliance status for both devices and users.
The update introduces:
- a new compliance state: Cyber Essentials Undetermined
- updated compliance evaluation logic for several security modules
- additional dashboard statistics and filtering options
- expanded reporting capabilities including all compliance states.
Heimdal now supports three compliance states for both devices and users:
- Cyber Essentials Compliant
- Cyber Essentials Non-Compliant
- Cyber Essentials Undetermined
EDR (Device) Compliance Overview
Device compliance within Heimdal Cyber Essentials is determined by evaluating several key security modules. Each module contributes to the overall compliance status based on product module licensing, Group Policy (GP) configuration and whether the module is active on the endpoint.
Patching Compliance
Patching compliance is assessed based on the status of both OS Updates and 3rd Party Patch Management. A device is considered Compliant when both modules are licensed, enabled in the Group Policy and confirmed as active in Device Info.
If both modules are licensed and enabled, but at least one of them is not active on the device, the device is marked as Non Compliant.
When one or both modules are not licensed or not enabled in Group Policy, the system cannot determine the compliance state, and the device is flagged as Undetermined.
NGAV (Next Generation Antivirus)
NGAV compliance reflects whether the antivirus protection is fully deployed and functioning. A device is classified as Cyber Essentials Compliant when NGAV is licensed, enabled in Group Policy and active on the endpoint.
If NGAV is licensed and enabled in GP but not active on the device, the status becomes Cyber Essentials Non Compliant.
Where NGAV is unlicensed or not enabled in GP, the status remains Undetermined, as compliance cannot be properly evaluated.
Firewall Compliance
Firewall compliance follows a similar evaluation process.
A device is Cyber Essentials Compliant when the Firewall module is licensed, enabled in GP and active on the endpoint.
If the module is licensed and configured in GP but not active on the device, the status shifts to Cyber Essentials Non Compliant.
Where licensing or GP enablement is missing, the compliance state is Undetermined.
Administrator Rights (PEDM)
Administrator rights are controlled through Heimdal PEDM (Privilege Elevation and Delegation Management).
A device is Compliant when PEDM is licensed, enabled in Group Policy, active on the endpoint and the “Revoke existing local admin rights” checkbox is enabled.
If PEDM is licensed and enabled in GP but is either inactive on the device or the revocation setting is disabled, the device is considered Non Compliant.
If PEDM is not licensed or not enabled in GP, the compliance state is Undetermined.
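The per-module device rules above, as an added Python illustration that is not Heimdal's own code. The page does not say how the module results combine into one device status, so the worst-state aggregation in `evaluate_device` is an assumption.

```python
"""Three-state Cyber Essentials device evaluation (added example, not Heimdal code).

Per-module rule from the release notes: licensed + enabled in GP + active on the
endpoint -> Compliant; licensed + enabled but not active -> Non-Compliant; not
licensed or not enabled in GP -> Undetermined. PEDM additionally requires the
"Revoke existing local admin rights" setting. How module results combine into one
device status is NOT stated on the page; the worst-state rule below is an assumption.
"""
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    COMPLIANT = "Cyber Essentials Compliant"
    NON_COMPLIANT = "Cyber Essentials Non-Compliant"
    UNDETERMINED = "Cyber Essentials Undetermined"

@dataclass(frozen=True)
class Module:
    licensed: bool       # product module licensed
    enabled_in_gp: bool  # enabled in the applicable Group Policy
    active: bool         # confirmed active in Device Info

def evaluate_module(mod: Module, extra_ok: bool = True) -> State:
    """Common three-way rule; extra_ok carries PEDM's revoke-admin-rights setting."""
    if not (mod.licensed and mod.enabled_in_gp):
        return State.UNDETERMINED          # cannot be evaluated
    if mod.active and extra_ok:
        return State.COMPLIANT
    return State.NON_COMPLIANT             # deployed but not functioning as required

@dataclass(frozen=True)
class Device:
    os_updates: Module
    third_party_patching: Module
    ngav: Module
    firewall: Module
    pedm: Module
    revoke_local_admin: bool  # "Revoke existing local admin rights" checkbox

def evaluate_patching(dev: Device) -> State:
    """Patching needs BOTH OS Updates and 3rd Party Patch Management on every criterion."""
    a, b = dev.os_updates, dev.third_party_patching
    both = Module(a.licensed and b.licensed,
                  a.enabled_in_gp and b.enabled_in_gp,
                  a.active and b.active)
    return evaluate_module(both)

def evaluate_device(dev: Device) -> dict[str, State]:
    """Return each module's state plus an 'Overall' entry (aggregation is assumed)."""
    result = {
        "Patching": evaluate_patching(dev),
        "NGAV": evaluate_module(dev.ngav),
        "Firewall": evaluate_module(dev.firewall),
        "PEDM": evaluate_module(dev.pedm, extra_ok=dev.revoke_local_admin),
    }
    states = set(result.values())
    if State.NON_COMPLIANT in states:      # ASSUMPTION: a known gap outranks an unknown
        result["Overall"] = State.NON_COMPLIANT
    elif State.UNDETERMINED in states:
        result["Overall"] = State.UNDETERMINED
    else:
        result["Overall"] = State.COMPLIANT
    return result
```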
ITDR (User Compliance) Overview
User compliance is based on Microsoft 365 security configurations.
A user is deemed Compliant when both MFA enforcement and password strength requirements are enabled in Group Policy and correctly aligned with Entra ID configurations.
If any of the required security settings are disabled in Microsoft Entra ID, the user becomes Non Compliant.
A status of Undetermined is assigned when compliance cannot be evaluated due to configuration gaps (such as missing or disabled MFA and password strength checks in Network Settings -> M365) or due to licensing limitations.
Note: the password expiration check is no longer part of the Cyber Essentials compliance evaluation.
Accordingly, the Heimdal Dashboard -> Unified Management -> Device/User Compliance -> Cyber Essentials Device and Users views now display the three compliance statuses.
In addition, a new Status filter is available for both views, with the following options:
- All
- Cyber Essentials Non-Compliant
- Cyber Essentials Undetermined
- Cyber Essentials Compliant
while the pages’ header Statistics reflect the same breakdown:
- Total Devices/Users
- Cyber Essentials Non-Compliant devices/users
- Cyber Essentials Undetermined devices/users
- Cyber Essentials Compliant devices/users
In the Cyber Essentials report, several enhancements are introduced with the Heimdal 5.3.3 production release. Just like in the dashboard, the report now reflects all three compliance states - Cyber Essentials Compliant, Cyber Essentials Non Compliant and Cyber Essentials Undetermined - along with the corresponding statistics. The updates are presented clearly across both device and user dimensions, in both graphical and text formats.
These updates represent another step in Heimdal’s strategic commitment to strengthening the compliance posture of our customers and partners. Cyber Essentials reporting now forms a core pillar of this direction, delivering clearer visibility, actionable insights and a more mature compliance framework.
And this is just the beginning - additional enhancements to Cyber Essentials reporting are already underway, along with new compliance focused reports designed to further reinforce security assurance across all environments.
Heimdal DNS Security Network and Endpoint
Major DNS Security Upgrades: streamlined workflows, unified views & improved usability
This release brings newly added Domain Reanalysis and Allowlist Approval workflows to DNS Security, enabling more effective false-positive management and greater administrative oversight.
In addition to the newly introduced approval mechanisms, the 5.3.3 PROD update enhances the wider DNS Security experience. It unifies several DNS Security product (dashboard) views, adds two new dashboard areas tailored for improved forensic insight, and incorporates multiple usability refinements designed to make operational handling more intuitive.
“Internal Approval flow” GP setting - DNS Endpoint and Network
A new option in the form of a checkbox - Internal Approval flow - has been added in both Endpoint Settings (DNS Security - DarkLayer Guard™) and Network Settings (DNS Security). When this checkbox is enabled, end users will have the option to submit, from either the Heimdal default block page or the custom one, domain allowlisting requests, while IT Admins will receive and manage these requests directly from the Heimdal Dashboard. Optionally, administrators can require end users to provide a justification when submitting a request, by enabling “Require allowlist reason”.
Note: the “Require allowlist reason” sub option becomes available only after “Internal Approval flow” is enabled.
End-user domain reanalysis & allowlist requests submission from the Block page
The Heimdal DNS Security modules (Endpoint and Network) now provide end users with a direct and efficient way to request domain reanalysis or allowlisting via a new button displayed on the Heimdal default or custom block pages. Depending on the organization’s Group Policy configuration, these requests are either sent directly to Heimdal Customer Support or routed to the internal IT team for review and approval in the Dashboard. This enhancement streamlines false-positive handling, reduces friction and ensures requests are processed through the appropriate workflow, based on the configured approval settings.
When the “Internal Approval flow” setting is disabled in the Endpoint or Network Settings, end users attempting to access a domain blocked by DNS Security are presented with a “Website reanalysis request” button on the block page. When the button is pressed, a domain reanalysis request is submitted directly to Heimdal Customer Support, where the team evaluates it based on internal checks and available intelligence to determine whether the domain should remain blocked or be reclassified.
Note: The Website reanalysis requests will not appear in the Heimdal Dashboard for administrative review.
Alternatively, if the “Internal Approval flow” option is enabled, the block page (default or custom) will instead display a “Send Allowlist Request” button. Selecting this option submits the request to the customer’s IT administrator, where it becomes visible in the Heimdal Dashboard for review.
If the “Require Allowlist Reason” sub-option is also enabled, the end user will be prompted to enter a justification in a free-text field (maximum 100 characters). Upon submission, the request (together with the reasoning) is forwarded to the Heimdal Dashboard for administrative review.
New Heimdal Dashboard tab – “Allowlist Requests”
In order to support the brand new DNS allowlist approval workflow, a new tab is available under Products - DNS Security - Network & Endpoint: “Allowlist Requests”. The Allowlist Requests tab provides two sub views (selectable from a drop-down list):
- Pending Approval - displays all requests awaiting administrator action (approve or deny). This is the default view when accessing the tab.
- History - displays all previously processed requests, including both approved and denied entries.
The approval workflow is initiated by selecting one or more requests from the Pending Approval sub view. Once selected (checked), the “Select what action to take” drop-down menu becomes available, allowing the administrator to Approve or Deny the selected request(s).
When Approve is selected:
- the “Add Domain to Allowlist” modal window is displayed.
- the administrator can:
  - force-enable the Allowlist (if it is disabled at Group Policy level in the Endpoint module) and/or add the domain to the global allowlist in the Network Settings (for the Network module).
  - select specific GPs or add the domain to the global allowlist (in the Endpoint module).
- after approval, the domain is added to the allowlist and the request is moved to the History view with the status Approved.
When Deny is selected:
- no allowlist entry is created.
- the request is moved to the History view with the status Denied.
The History sub view displays all previously submitted allowlist requests that were initially listed under Pending Approval, along with their final approval status.
Standard, Threat Type, Hostname/Threats, Latest Threats, TTPC, Forensics DNS Security Endpoint & Network views consolidation
To simplify navigation and provide a more streamlined user experience, multiple DNS Security views - Standard, Threat Type, Hostname/Threats, Latest Threats, Forensics and TTPC - have been consolidated into a single unified tab. This visual enhancement reduces UI clutter, allowing dashboard users to seamlessly switch between all sections from a single drop-down menu, improving visibility, navigation speed and overall efficiency.
Brand-new “Domain/Hits (blocks)” DNS Security Endpoint & Network view
A new view has been added under Products - DNS Security - Standard: Domain / Hits (Blocks). This view displays a list of unique malicious domains, sorted by default in descending order based on the number of hits (blocks).
Columns included in this view:
- Domain – the malicious domain name
- Threat Type – the associated threat classification
- Number of Hits (Blocks) – the total number of blocked requests for the specified domain
Freshly-implemented “Manual Blocklists” DNS Security Endpoint & Network view
Following the recent separation of infected domains from manually blocked domains, the introduction of a dedicated DNS Security view was the logical outcome. Previously, this distinction was managed through filters, within the Threat Type and Most Used Domains views. With the latest update, domain classification is now accessible through a structured view rather than relying solely on filtering options. This enhancement improves visibility, simplifies analysis and provides clearer separation between automatically detected and blocked threats and manually enforced domain blocks.
The new view is also available within the client specifics (Device Info - click a hostname - DNS Security - DarkLayer Guard™ Endpoint/Network), providing improved visibility and easier access to manually blocked domains, pre-filtered at hostname level.
DNS Security Endpoint & Network UX refinements & usability enhancements
5.3.3 PROD also brings targeted DNS Security UX and usability enhancements, making allowlist/blocklist Endpoint/Network Settings handling, category sorting and domain insights more intuitive and efficient. Among these smaller yet equally important enhancements, the following can be highlighted:
Import and export CSV option for Allowlist and Blocklist
Administrators can now import .csv files containing domain entries directly into the DNS Security Endpoint/Network Allowlist or Blocklist, and also export existing entries from these lists in the same format. This streamlines day-to-day operations by enabling faster bulk updates and simplifies reporting and documentation in a more automated fashion.
Alphabetical sorting for Categories in the “Block by Category” multi-select list
We’ve added the ability to sort categories alphabetically (A-Z and Z-A) in the “Block by Category” multi-select list, making it easier to locate specific categories. Additionally, the example domains displayed for each category are now selected based on the highest number of hits (TOP 3), ensuring greater relevance and context for administrators.
Heimdal Patch & Asset Management
File Risk Score in Patch & Assets -> Infinity Management with cloud-based threat analysis
To support safer deployment decisions, a new File Risk Score functionality has been introduced in Infinity Management.
Each file (patch) uploaded to the Private Patching Storage from Infinity Management is automatically analyzed by multiple cloud AV engines. Based on this analysis, a File Risk Score is assigned, providing clear visibility into whether a file is safe to use or potentially compromised.
The File Risk Score is available across key areas in Infinity Management:
- Private Patching Storage, for all uploaded files (patches)
- Application Definition page, for each patch
- Patch Configuration modal, when selecting an associated file
A warning (exclamation-mark icon) will be displayed on the Infinity Management home page, if potentially vulnerable files are detected within the Private Patching Storage.
When a file is uploaded in the Infinity Management Private Patching Storage, a unique hash is generated and evaluated through an external, cloud-based scanning service. Based on the scan results from multiple AV engines, Heimdal assigns a File Risk Score intended to reflect the likelihood that the file may be harmful.
Note: Archive files (e.g., .zip) follow a dedicated scanning flow: specific file types commonly associated with executable or potentially malicious content are extracted and scanned, while the archive itself is also analyzed (via its own dedicated MD5 hash).
If a clear result cannot be determined, the following statuses may appear:
- Pending -> the file has not yet been processed or is awaiting a valid response from the dedicated API. The scan is conducted asynchronously, so File Risk Scores are not generated instantly, and the time required for a score to become available may vary with file size, system load and external API response time.
- Not available -> the scan was inconclusive, the file was not found in data intel or an error occurred during processing (e.g., during hash calculation).
- N/A -> the file is not eligible for scanning (e.g., Heimdal Images).
This enhancement introduces multi-engine threat visibility directly into the patch management workflow, supporting more informed deployment decisions and reducing the risk of deploying compromised files.
With this update, Heimdal once again reinforces its commitment to safeguarding customer environments by strengthening detection capabilities and ensuring a more secure and informed software deployment process.
OS (Windows) Updates – Management of Click-to-Run updates
Starting with version 5.3.3 PROD, Heimdal supports automated updating of Microsoft 365 Click-to-Run installations, widening the coverage of our automated OS updates solution. Because the Click-to-Run delivery model is based on App-V virtualization and differs fundamentally from traditional Office installations, it has until now required an independent servicing workflow. Heimdal now detects these installations automatically, performs silent version checks and deploys updates through a dedicated workflow integrated into the existing OS Updates lifecycle (Available → Pending → Installed). This ensures consistent handling, unified reporting and improved security and performance across Windows environments.
To activate updates for Microsoft 365 Click-to-Run, navigate to: Endpoint Settings - Windows GPs (click on a GP) - Patch and Assets - Operating System Updates, locate the General Settings check box called “M365 Click-to-Run Updates” and enable it.
When the M365 Click-to-Run Updates setting is enabled in a Group Policy and an endpoint has a Microsoft 365 Click-to-Run update in one of the Available, Pending or Installed states, the update will be visible in the Patch & Asset Management - Operating System Updates product grids. This ensures centralized visibility and lifecycle tracking of M365 Click-to-Run updates alongside standard operating system updates.
3rd Party Patch Management – addition of CVE column in all the grids from the Assets view
To improve vulnerability forensics and ensure consistency and unification, a new CVE column has been added to Patch & Assets → 3rd Party Patch Management → Assets View (Windows OS). This update allows administrators to quickly see which applications are affected by known security vulnerabilities, directly from the main views and device details. The CVE column is available across all the Assets sub views, to ensure maximum visibility: Stacked, Non-stacked and Client Specifics (click hostname info and redirect to the Asset Management sub tab).
3rd Party Patch Management – ability to add sequencing order to Push Install apps
To provide greater control and visibility over application deployment order, a new feature has been introduced in Endpoint Settings (Windows GP) - Patch & Assets - 3rd Party Patch Management, Manage applications grid. This feature allows administrators to influence the priority in which applications are pushed to the Heimdal Agent, without disrupting existing installation behavior.
A new “Sequence” column has been added to the aforementioned grid:
- the Sequence column is displayed as the first column in the grid.
- the column is active and editable only when Push Install is enabled.
- sequence values can be edited directly in the grid and must be set between 1 and 999.
- duplicate priority values are not allowed and input is validated to ensure correctness.
- the column supports ascending and descending sorting.
- if the Sequence field is left empty, the application is treated as having no priority and follows the existing push install behavior.
During a push installation, applications with Sequence values run first, sorted in ascending order, with the lowest values reaching the Agent first. Applications without a Sequence value follow the default installation path, maintaining workflow resilience and preventing single-app failures from blocking deployment. With the introduction of the Sequence column in Group Policy, administrators gain finer control over push install execution while maintaining stable and predictable installation workflows.
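The validation and ordering rules described above, as an added Python example that is not Heimdal's own code. The sample grid is constructed, and the detail that unsequenced applications keep their existing grid order is an assumption the page does not state.

```python
"""Push Install ordering by the Sequence column (added example, not Heimdal code).

Rules taken from the release notes: Sequence is only meaningful when Push Install is
enabled, values must be 1..999, duplicates are rejected, an empty Sequence means no
priority. Sequenced apps reach the Agent first in ascending order; unsequenced ones
follow the default path. ASSUMPTION: unsequenced apps keep their grid order here.
"""
from typing import Optional


class SequenceError(ValueError):
    """Raised when the grid would fail the described input validation."""


def validate_sequences(apps: list[dict]) -> None:
    """Enforce range 1..999 and uniqueness across the given Push Install apps."""
    seen: dict[int, str] = {}
    for app in apps:
        seq: Optional[int] = app.get("sequence")
        if seq is None:
            continue  # empty Sequence field: no priority
        if not isinstance(seq, int) or not 1 <= seq <= 999:
            raise SequenceError(f"{app['name']}: Sequence must be 1..999, got {seq!r}")
        if seq in seen:
            raise SequenceError(f"{app['name']}: Sequence {seq} already used by {seen[seq]}")
        seen[seq] = app["name"]


def is_valid(apps: list[dict]) -> bool:
    """True when every Push Install app in the grid passes validation."""
    try:
        validate_sequences([a for a in apps if a.get("push_install")])
    except SequenceError:
        return False
    return True


def push_order(apps: list[dict]) -> list[str]:
    """Names of Push Install apps in the order they reach the Agent."""
    pushed = [a for a in apps if a.get("push_install")]  # Sequence applies only here
    validate_sequences(pushed)
    sequenced = sorted((a for a in pushed if a.get("sequence") is not None),
                       key=lambda a: a["sequence"])
    unsequenced = [a for a in pushed if a.get("sequence") is None]  # assumed: grid order
    return [a["name"] for a in sequenced + unsequenced]


# Constructed sample "Manage applications" grid (illustrative names and values).
GRID = [
    {"name": "Google Chrome", "push_install": True, "sequence": None},
    {"name": "7-Zip", "push_install": True, "sequence": 2},
    {"name": "Adobe Acrobat Reader", "push_install": True, "sequence": 10},
    {"name": "Mozilla Firefox", "push_install": True, "sequence": 1},
    {"name": "Notepad++", "push_install": True, "sequence": None},
    {"name": "VLC media player", "push_install": False, "sequence": None},
]

if __name__ == "__main__":
    print(push_order(GRID))  # Firefox, 7-Zip, Acrobat Reader, then Chrome, Notepad++
```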
Other improvements & fixes:
PXE - Configurable Network Interface for OS Deployment
This release introduces a new Network Adapter (NIC) selection drop-down that allows IT administrators to choose the specific interface through which Network OS Deployment / PXE traffic is routed. With the ability to select the desired Network Interface Card, PXE broadcasts can be limited to machines located in the same subnet as the chosen adapter, ensuring precise control over deployment traffic. This enhancement provides greater flexibility, improves ease of use by simplifying targeting logic, and strengthens security by preventing unnecessary PXE exposure across unrelated network segments.